Contact UsGet started
© 2025 Direct Cursus Technology L.L.C.

Installing Gatekeeper

Written by
Improved by
Updated at May 5, 2025

Gatekeeper is a customizable policy controller and auditor for Kubernetes. Gatekeeper accepts incoming requests to clusters and validates them in real time to make sure they comply with predefined policies.

Getting started

Make sure that the security groups for the Managed Service for Kubernetes cluster and its node groups are configured correctly. If any rule is missing, add it.

Warning

The configuration of security groups determines the performance and availability of the cluster and the services and applications running in it.

Installation using Yandex Cloud Marketplace

  1. Navigate to the folder dashboard and select Managed Service for Kubernetes.

  2. Click the name of the cluster you need and select the Marketplace tab.

  3. Under Application available for installation, select Gatekeeper and click Go to install.

  4. Configure the application:

    • Namespace: Create a new namespace, e.g., gatekeeper-space. If you leave the default namespace, Gatekeeper may work incorrectly.

    • Application name: Specify the application name.

    • Audit interval: Set the interval between audits in seconds. 0 disables audits.

    • Constraint violations limit: Set the maximum number of violations to be logged for each constraint.

    • Only matching resource types: Select this option if you need to validate only those Kubernetes resource types for each constraint that are explicitly specified in the constraint. If no resource types are specified or the option is disabled, all resources will be validated.

    • Create events at audit: Select this option to create a Kubernetes event for each constraint violation detected during the audit, with detailed information about the violation.

    • Events in affected namespace: Select this option if events with violation details should be created in the namespace in which a constraint violation was logged. Only applies if the Create events at audit option is enabled.

      If the Events in affected namespace option is disabled, events will be created in the namespace in which Gatekeeper is installed.

    • Allow external data: Select this option to enable experimental support of external data sources.

  5. Click Install.

  6. Wait for the application to change its status to Deployed.

Installation using a Helm chart

  1. Install kubect and configure it to work with the new cluster.

  2. Install Helm v3.8.0 or higher.

  3. To install a Helm chart with Gatekeeper, run the following command:

    helm pull oci://cr.yandex/yc-marketplace/gatekeeper \
  --version 3.12.0 \
  --untar && \
helm install \
  --namespace <namespace> \
  --create-namespace \
  gatekeeper ./gatekeeper/

If you set namespace to the default namespace, Gatekeeper may work incorrectly. We recommend you to specify a value different from all existing namespaces (e.g., gatekeeper-space).

You can redefine optional parameters in the install command using the following key: --set <parameter_name>=<new_value>.

See the table below for a list of redefinable parameters and their default values:

Parameter name Description Default value
auditInterval Interval between audits in seconds 60
constraintViolationsLimit Maximum number of violations to be logged for each constraint 20
auditMatchKindOnly Only matching resource types false
emitAuditEvents Creating events during audit false
auditEventsInvolvedNamespace Creating events in the affected namespace false
enableExternalData Experimental support of external data sources true

See also

Previous
Installing Fluent Bit
Next
Installing Gateway API